What the f*** is GDPR? Here’s what you need to know to stay above the law

You must by now have heard of the incoming General Data Protection Regulation (GDPR) legislation, which takes effect on 25th May. Whether fearing it as the next “Y2K” disaster, lambasting it for onerous compliance requirements, or celebrating the new rights every citizen will get to control their personal data in the hands of big corporations, GDPR has been every bit as controversial as was imagined when it was signed into law in 2016.

AV for end-users

GDPR will undoubtedly change your professional and personal life in a variety of ways, and you may already be seeing differences in how companies sell to you, how websites gain your consent and how your social networks treat you, but you may also be responsible for implementing change yourself.

In the AV sector, we exist in a time of big change. Huge IT firms threaten to gobble up our industry with inexpensive system-on-chip, turnkey AV solutions, the wired network is starting to dictate the quality of experience our users can expect, and inflexible, expensive hardware devices are giving way to cloud platform services that are agile, responsive and always up to date.

Within this changing landscape, GDPR adds both additional barriers to successful implementation of systems and a new paradigm of market competition, helping the innovative and high-quality solutions rise to the top. The implementation of the regulations should give your end users the trust that the data the systems are collecting on them will be handled responsibly and lawfully. It may seem like a lot of paperwork, but restoring public faith in good data management is the spirit of the law in this case.

Organisations are increasingly looking to the data that they hold for a variety of purposes, from profiling the kinds of people who use various services, to tailoring communications and advertising content, to making strategic decisions about the direction of the company. While these uses and more remain legal under the GDPR, there are additional steps to go through when collecting and storing data.

As AV managers, practitioners and architects of new and changed systems capable of collecting, storing and transmitting personal data (which the GDPR defines as anything that can identify a person and which, in some circumstances, can include job titles, email addresses, usernames, phone numbers and IP addresses), our roles will expand to include GDPR compliance responsibility for these systems. Cloud-based solutions such as collaboration, conferencing, document sharing or meeting room booking apps are, in my experience, particularly worth looking at, but it is well worth reviewing all the tools already deployed in the board room, training space and lecture room to understand whether they collect data, transmit it off-site or are accessible to third parties. Work closely with your integration partner or the equipment vendor to get a clear understanding of how they treat the data that is collected.

Your next stage in the review is to understand the flow of data, as well as its storage, encryption, sharing and the reason you and the third party have for collecting it in the first place, which must be communicated to your users. It is not acceptable to collect data “just because,” so you will need to define the reason for collection: a legal requirement, a legitimate business interest, or information necessary to run the service in the first place; otherwise you must ask the individual to consent to it, and there are specific rules around how to do that too. Your organisation should already have a GDPR task force looking at HR, Finance, IT and Customer Records that can help you with compliance in this area.

A data sharing or data processing agreement may also be necessary if a supplier, software vendor or service provider is processing personal data – for example providing a room booking platform that captures the name, phone number and email address of the individual booking the room, and generates management reports. This is a form of contract that sets out what data is exchanged, what it is used for, how it is stored and who would have access to it. This is important because under the new regulations, both you and the third party are liable for that data, and you will need some assurances that the data you are sharing is being stored safely, deleted appropriately and not being used for any purpose other than what your users are consenting to. If your organisation operates any outsourced or managed services like support, consultancy, user engagement or joint ventures, you will almost certainly need this beyond the May deadline.

Rights exercise

Unless AV is the core of your organisation’s technology infrastructure, or you already have a number of cloud applications deployed for presentation, you are unlikely to need to participate in fulfilling a GDPR rights exercise (where an individual requests a copy of data held about them, the amendment or deletion of that data, or the suspension of processing of it). It is, however, worth considering how you would respond to a request for data deletion for a named individual for systems that fall under your purview, and how you would identify data that was in scope of GDPR – many solutions are not designed with GDPR in mind and may require re-architecting to make it possible to comply. For all rights related queries, strict time limits apply, so if you collect personally identifying information about individuals as part of your services, it is good practice to audit that data, make sure you know where it is kept, and document how you would go about deleting references to an individual if required.
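As an added example (not code from the original article or any product it mentions) of the audit and deletion process just described, the script below locates every reference to a named individual across several data stores, pseudonymises the identifying fields while keeping the non-personal remainder of each record, and returns an audit entry recording where the data was held and by when the request had to be answered. The store names, record layouts and sample records are constructed assumptions; the one-month reply deadline follows GDPR Article 12(3).

```python
"""Locate and erase references to a named individual across several
data stores, producing an audit trail of where the data was held.

Sample data is constructed for this example; the store names and
record layouts are assumptions, not a real product's schema.
"""
import calendar
import copy
import datetime as dt

# Constructed sample stores: a room-booking system, a signage contact
# list and a conferencing attendance log, each with its own layout.
SAMPLE_STORES = {
    "room_booking": [
        {"id": 101, "name": "Alex Example", "email": "alex@example.org",
         "phone": "+44 20 7946 0000", "room": "Boardroom A"},
        {"id": 102, "name": "Sam Sample", "email": "sam@example.org",
         "phone": "+44 20 7946 0001", "room": "Training 2"},
    ],
    "signage_contacts": [
        {"id": "sig-7", "display_name": "Alex Example",
         "contact_email": "alex@example.org", "photo": "alex.jpg"},
    ],
    "conference_log": [
        {"id": "c-1", "participant": "alex@example.org", "ip": "10.0.0.5"},
        {"id": "c-2", "participant": "sam@example.org", "ip": "10.0.0.6"},
    ],
}

# Fields that identify a person; everything else on a record is kept,
# so room-usage statistics remain usable once anonymised.
IDENTIFYING_FIELDS = {"name", "email", "phone", "display_name",
                      "contact_email", "photo", "participant", "ip"}


def locate_subject(stores, email):
    """Return {store_name: [record ids]} for every record that holds the
    given e-mail address in any identifying field."""
    hits = {}
    for store, records in stores.items():
        ids = [r["id"] for r in records
               if any(str(r.get(f, "")).lower() == email.lower()
                      for f in IDENTIFYING_FIELDS)]
        if ids:
            hits[store] = ids
    return hits


def response_due(request_date):
    """Reply deadline: one month from receipt (GDPR Article 12(3)),
    clamped to the last day of a shorter month."""
    year = request_date.year + (request_date.month == 12)
    month = request_date.month % 12 + 1
    day = min(request_date.day, calendar.monthrange(year, month)[1])
    return dt.date(year, month, day)


def erase_subject(stores, email, request_date):
    """Pseudonymise every record found by locate_subject and return an
    audit entry documenting what was done and when a reply was due.

    The stores dict is modified in place; the caller keeps the audit
    entry as evidence that the request was fulfilled in time.
    """
    found = locate_subject(stores, email)
    for store, ids in found.items():
        for record in stores[store]:
            if record["id"] in ids:
                for field in IDENTIFYING_FIELDS.intersection(record):
                    record[field] = "[erased]"
    return {
        "subject": email,
        "received": request_date.isoformat(),
        "due": response_due(request_date).isoformat(),
        "erased": found,
        "completed": dt.date.today().isoformat(),
    }


if __name__ == "__main__":
    stores = copy.deepcopy(SAMPLE_STORES)
    print(locate_subject(stores, "alex@example.org"))
    print(erase_subject(stores, "alex@example.org", dt.date(2018, 5, 25)))
    print(stores["room_booking"][0])
```

Matching is done on the e-mail address only, so a real implementation would extend `locate_subject` with whatever identifier each system actually keys on; the point of the audit entry is that the deletion itself is documented, not merely performed.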

Procurement

For AV procurement, there is much better news – GDPR adds an element of competition to the marketplace which previously didn’t exist. As an integrator or manufacturer, ask yourself – would you purchase a meeting room solution from a vendor who could not guarantee the safety of the information it would gather about people who use the room? What about a cloud signage vendor whose infrastructure is run outside of the European Union – would your staff still freely consent to having their photos, news, events and contact details displayed?

Whether you consider yourself a manufacturer, a distributor, a reseller or a customer, your organisation is likely to require a level of GDPR compliance from all the other companies you share data with, and it is interesting for my firm as a systems integrator and cloud platform provider to see tenders and PPQ documents on the market now with specific requirements around GDPR compliance, ISO 27001 or equivalent certification for organisations, and SOC2/SOC3 standards for data stored in the cloud.

It is clear that the market is taking this legislation seriously, and with huge fines for noncompliance there is a great deal of trepidation, with customers particularly in higher education, local government and corporate sectors taking no risks. As more and more AV systems become cloud based, everyone involved in the supply chain should be concerned that the solutions and services they are offering are acceptable to customers from the data perspective, and leveraging the main advantage of cloud services – flexibility and agility – to re-architect their solutions if not.

Breach Procedures

An area of GDPR that will be of particular concern to the AV sector at large will be the new rules around breach detection and notification. With a scope that may include network-connected hardware solutions such as switcher/scalers, control panels and smart TVs, organisations will have to take measures to defend systems against attack, show a good process for proactively managing their security and implement processes to detect data breaches.

For those organisations that have perhaps overlooked AV device security in the past, and allowed products with weak encryption, default passwords, exposed network services like telnet and obsolete firmware versions to go unchecked, now is the time to work collaboratively to implement robust safeguards against malicious access to those devices, and to minimise the impact of a system compromise where that is not possible. These organisations should be equally demanding of suppliers with whom they share access to the systems, to ensure that an undetected breach on the supplier's end cannot result in the same loss of data.
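The hygiene problems listed above (default passwords, exposed telnet, obsolete firmware) are exactly what a periodic inventory audit should surface, and keeping the audit output is one way to show the proactive security process the regulation asks for. The script below is an added example, not code from the article or any vendor it mentions: it checks a constructed device inventory against a constructed baseline of minimum firmware versions and permitted management services and reports findings per host. Device names, models, version strings and field names are all assumptions.

```python
"""Audit a constructed inventory of network-connected AV devices for
default credentials, unapproved exposed services (such as telnet) and
firmware below an agreed minimum.

The inventory, the baseline and the field names are assumptions made
for this example and do not describe any real product.
"""
import re

# Constructed baseline: minimum acceptable firmware per model and the
# management services the organisation has decided to permit.
BASELINE = {
    "min_firmware": {"ScalerX": "2.4.0", "TouchPanel9": "1.10.2",
                     "SmartTV-55": "5.0"},
    "allowed_services": {"https", "ssh"},
}

# Constructed inventory, as a network discovery tool might report it.
SAMPLE_INVENTORY = [
    {"host": "av-scaler-01", "model": "ScalerX", "firmware": "2.3.7",
     "services": ["telnet", "http"], "default_credentials": True},
    {"host": "av-panel-01", "model": "TouchPanel9", "firmware": "1.10.2",
     "services": ["https", "ssh"], "default_credentials": False},
    {"host": "av-tv-03", "model": "SmartTV-55", "firmware": "4.9",
     "services": ["http", "https"], "default_credentials": True},
]


def version_tuple(version):
    """Turn '2.4.0' or '1.10.2-beta' into a tuple of ints that compares
    numerically, so 1.10 sorts after 1.9."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit_device(device, baseline=BASELINE):
    """Return a list of (severity, finding) pairs for one device."""
    findings = []
    if device.get("default_credentials"):
        findings.append(("high", "default credentials still in use"))
    # Any management service outside the allow-list is flagged; telnet
    # carries credentials in clear text, so it is rated high.
    exposed = set(device.get("services", [])) - baseline["allowed_services"]
    for service in sorted(exposed):
        severity = "high" if service == "telnet" else "medium"
        findings.append((severity, f"unapproved service exposed: {service}"))
    minimum = baseline["min_firmware"].get(device["model"])
    if minimum is None:
        findings.append(("medium", "model missing from firmware baseline"))
    elif version_tuple(device["firmware"]) < version_tuple(minimum):
        findings.append(("medium",
                         f"firmware {device['firmware']} below minimum {minimum}"))
    return findings


def audit_inventory(inventory, baseline=BASELINE):
    """Map each host to its findings, omitting clean devices, so the
    result can be kept as evidence of the audit."""
    report = {}
    for device in inventory:
        findings = audit_device(device, baseline)
        if findings:
            report[device["host"]] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for severity, finding in findings:
            print(f"{host}: [{severity}] {finding}")
```

A model absent from the baseline is itself reported, since an unknown device is one nobody has decided a minimum firmware for; the same check run against a supplier's own managed devices gives the assurance the paragraph above asks for.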

Under the old Data Protection Act (which will be superseded by GDPR), third-party data processors were not liable for breaches. With GDPR, not only are they absolutely liable, but you are too if they suffer a breach of data they collected from you.

The AV marketplace is awash with agile, innovative providers who are keen to showcase the latest technology, processes and services to help businesses communicate and collaborate effectively. My advice to anyone whose suppliers are not talking to them about this: find other suppliers.

Conclusion

It is hard to find a loser with the new regulations. Private citizens are granted a swathe of new legal rights to safeguard their data; AV resellers and integrators gain a new dimension of competition with their rivals in the sector; and manufacturers have a clear picture of the direction EU citizens wish their products to take, and have almost two years of run-up to ensure their products are compliant with legislation that is the strictest and most punitive on businesses currently on the books anywhere in the world.

Whether GDPR will ultimately be a force for good is for the next few years to decide, but currently it is a force for change that is flooding the technology world, and just like in any flood the innovators will rise to the top.